A new phishing attack is being used to steal user credentials from Microsoft SharePoint and OneDrive users, regardless of whether or not login credentials are changed at a later stage. Reports of the attack, which began surfacing in late 2019, alleged that Microsoft Office 365 OAuth apps – apps which grant access to a website without the use of a password – are being leveraged by hackers to gain access to cloud information belonging to corporate users.
Discovered by threat intelligence and mitigation firm PhishLabs in December 2019, the breach allows attackers to hijack a recipient account and gain untrammeled access to a user’s email address, files, contacts, username and password.
A new type of phishing attack
The attack method is reportedly designed to resemble an ordinary Office 365 permissions page. Because it uses the existing architecture used by OAuth apps and Office 365 OAuth APIs, the attack takes on the appearance of a credible Office 365 Add-In. What’s more, the request is generated by an app that is built on information stolen from above-board organizations, according to PhishLabs.
Using this tactic, the hackers are able to use the official Office 365 login page, login.microsoftonline.com, as the staging ground for their phishing attack. Once the OAuth apps receive its requested permissions, the hackers will then be able to fully access to the user’s Office 365 account, granting them access which stops only at the ability to send emails.
According to Stu Sjouwerman, Founder and CEO of KnowBe4, employees ought to be aware of the fact that phishing attacks via OAuth apps can come in a variety of different forms. “[The] new phishing attack spotted by security researchers at PhishLabs uses a malicious Office 365 App rather than the traditional spoofed logon page to gain access to a user’s mailbox,” he points out. “The usefulness of a captured Office 365 user logon to an attacker is only valuable until the logon’s owner realizes they’ve been compromised, and their password is changed.”
It was in this way – through the exploitation of Add-in features – that the Office OAuth apps hackers were successfully able to introduce a new type of phishing attack.
“Using traditional phishing tactics,” Sjouwerman explains, “victims are lured into clicking on a malicious link that appears to be hosted in SharePoint Online or in OneDrive. The malicious payload is a URL link that requests access to a user’s Office 365 mailbox. To eliminate the malicious access, the app must be disconnected – a completely separate process.”
Sjouwerman goes on to explain that, with adequate security training in the workplace, phishing attacks are relatively easy to protect against. “The good news is that your users still need to fall for the initial phishing email asking them to click the malicious link,” he says. “Organizations that put users through continual security awareness training know their users have been taught to easily spot attempted attacks like this and not fall for them.”
The crucial defence of OAuth apps
The recent phishing attack is not the first time such methods have been used to target cloud users. Back in 2017, over one million Google Docs users saw their email addresses and contacts compromised by hackers in a phishing scheme that successfully targeted Google’s OAuth apps. The company managed to protect its users and halt the attack within the space of only one hour by effectively locating and removing the accounts responsible.
However, in the case of the attack against Office 365’s OAuth apps, the response does not appear to have been quite as decisively coordinated as it was in Google’s case.
Currently, Microsoft claims that efforts are being made to disable malicious attacks made against its OAuth apps if and when they arise. According to Jeff Jones, the company’s Senior Director, the phishing attack “relies on a sophisticated phishing campaign that invites users to permit a malicious Azure Active Directory Application.” He said in a statement provided to KrebsOnSecurity that Microsoft has “notified impacted customers” and “worked with them to help remediate their environments.”
Although Microsoft has also put forward steps to protect users from such attacks in the future, PhishLabs suggests that these steps should be taken even further. Among their recommendations is that businesses restrict the installation of apps from outside of the Office Store. And as phishing attacks on corporate targets and OAuth apps become increasingly sophisticated and cunning, PhishLabs also suggests that businesses include instruction on how to identify such social engineering attacks into their security awareness training.